truecryptrussia.ru has been serving modified versions of the TrueCrypt encryption software (detected as Win32/FakeTC) that include a backdoor, delivered only to selected targets.

Win32/FakeTC - data theft from encrypted drives

The Potao main DLL only takes care of its core functionality; the actual spying functions are implemented as downloadable modules. The plugins are downloaded every time the malware starts, since they are not stored on the hard drive. There are two kinds:

1st: Full plugin, with an export function called Plug. Full plugins run continuously until the infected system is restarted.

2nd: Light plugin, with an export function called Scan. Light plugins terminate immediately after returning a buffer with the information they harvested from the victim's machine.

Some of the plugins were signed with a certificate issued to “Grandtorg”.

Traffic

The C&C traffic uses strong encryption. The data sent is encapsulated in the XML-RPC protocol.

In the 1st stage, after receiving the request, the C&C server generates a new RSA-2048 key pair and signs the generated public key with another, static RSA-2048 private key.

In the 2nd stage the malware generates a symmetric AES-256 key. This AES session key is encrypted with the newly received RSA-2048 public key and sent to the C&C server.

The actual data exchange that follows the key exchange is encrypted with the AES-256 session key, symmetric cryptography being faster than RSA.

The Potao malware sends an encrypted request to the server containing the computer ID, campaign ID, OS version, malware version, computer name, current privileges, OS architecture (32- or 64-bit) and the name of the current process.
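As an added illustration (not code from this page, from ESET or from the malware), the following Go program emulates the two-stage exchange described above in a single process, with an analyst's question in mind: what can and cannot be recovered from a capture. The page states only the key sizes, the ordering of the stages and the XML-RPC encapsulation (omitted here); the signature padding (PKCS#1 v1.5), the wrapping scheme (OAEP), the symmetric mode (AES-256-GCM), the beacon field values and the assumption that the implant verifies the ephemeral key against an embedded copy of the static public key are all assumptions of the example.

```go
package main

// Added example, not code from ESET or from the malware: an in-process emulation of the
// two-stage key exchange described above. Assumed, not stated on the page: PKCS#1 v1.5
// signatures, OAEP key wrapping, AES-256-GCM data channel, static public key in the implant.

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Stage1Msg: fresh RSA-2048 public key plus the static key's signature over its modulus.
type Stage1Msg struct{ Pub *rsa.PublicKey; Sig []byte }
// Server holds the static signing key and the per-session ephemeral pair; Client holds
// only the static public key and the AES-256 session key it generates.
type Server struct{ static, ephemeral *rsa.PrivateKey; session []byte }
type Client struct{ staticPub *rsa.PublicKey; session []byte }

// GenRSA2048 stands in for both the operator's long-lived key and the per-session one.
func GenRSA2048() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only possible if crypto/rand itself is broken
	}
	return k
}

// Stage1: generate the ephemeral pair and sign its public half (exponent is fixed, so the
// modulus identifies the key).
func (s *Server) Stage1() (Stage1Msg, error) {
	s.ephemeral = GenRSA2048()
	digest := sha256.Sum256(s.ephemeral.PublicKey.N.Bytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.static, crypto.SHA256, digest[:])
	return Stage1Msg{&s.ephemeral.PublicKey, sig}, err
}

// Stage2: verify the signature, then wrap a fresh AES-256 key with the ephemeral public
// key. A key that the static key did not sign is refused.
func (c *Client) Stage2(m Stage1Msg) ([]byte, error) {
	digest := sha256.Sum256(m.Pub.N.Bytes())
	if err := rsa.VerifyPKCS1v15(c.staticPub, crypto.SHA256, digest[:], m.Sig); err != nil {
		return nil, fmt.Errorf("ephemeral key not signed by static key: %w", err)
	}
	c.session = make([]byte, 32)
	rand.Read(c.session) // crypto/rand.Read never returns an error (Go 1.24+)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, m.Pub, c.session, nil)
}

// aead builds the AES-256-GCM cipher for the data channel; a 32-byte key cannot fail here.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// Beacon is a constructed stand-in for the first encrypted request (XML-RPC envelope omitted).
const Beacon = "computer_id=CONSTRUCTED-0001;campaign_id=CONSTRUCTED;os=6.1;ver=0.0;host=WS01;priv=user;arch=32;proc=explorer.exe"

// RunExchange drives both stages (server signs with static, client verifies with verifyWith),
// sends one beacon over the AES channel and returns what the server decrypts.
func RunExchange(static *rsa.PrivateKey, verifyWith *rsa.PublicKey) (string, error) {
	srv, cli := &Server{static: static}, &Client{staticPub: verifyWith}
	m, err := srv.Stage1()
	if err != nil {
		return "", err
	}
	wrapped, err := cli.Stage2(m)
	if err != nil {
		return "", err
	}
	// Only the ephemeral private key can unwrap the session key, so a passive capture
	// plus the static public key does not yield the AES key.
	if srv.session, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, srv.ephemeral, wrapped, nil); err != nil {
		return "", err
	}
	// Data channel: random 12-byte nonce prepended to the GCM ciphertext; the GCM tag makes
	// Open fail on a wrong key or any modification of the message.
	g := aead(cli.session)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	msg := g.Seal(nonce, nonce, []byte(Beacon), nil)
	pt, err := aead(srv.session).Open(nil, msg[:len(nonce)], msg[len(nonce):], nil)
	return string(pt), err
}

func main() {
	static := GenRSA2048()
	fmt.Println(RunExchange(static, &static.PublicKey))
}
```

Running it prints the constructed beacon as the server side decrypts it. The consequence for a defender follows from the scheme itself: a packet capture plus the static public key leaves the session key inside the OAEP ciphertext, so recorded C&C content cannot be decrypted afterwards without the ephemeral private key, and a server that lacks the static private key is rejected at stage 2. Detection of this traffic therefore has to rest on beacon metadata and host artifacts rather than on content inspection.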

Russian TrueCrypt (Win32/FakeTC): the malicious code inside the otherwise functional TrueCrypt software runs in its own thread. This thread, created at the end of the Mount function, enumerates files on the mounted encrypted drive and, if certain conditions are met, connects to the C&C server, ready to execute commands from the attackers.

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.